Please Help! My Hijack log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:40:05 AM, on 11/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\All Users\Application Data\7eaa4\WS555.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Computer Repair Utility Kit\Computer Repair Utility Kit\Virus and Malware Removal Tools\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tkjh.huo sqmtm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com


O2 - BHO: C:\WINDOWS\system32\phxjgk.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\phxjgk.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [system Defender] "C:\Documents and Settings\All Users\Application Data\7eaa4\WS555.exe" /s /d
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [girofaviw] Rundll32.exe "c:\windows\system32\panifiye.dll",a
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\JODYM~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JODYM~1\LOCALS~1\Temp\smss.exe
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://aolsvc.aol.com/onlinegames/trydiner...h2.1.0.0.48.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.com/onlinegames/free-tri...tg.1.0.0.33.cab
O20 - AppInit_DLLs: yekufubi.dll c:\windows\system32\panifiye.dll
O21 - SSODL: rinoyotup - {a13148d2-abb5-45fd-9e43-8d1d24e08417} - c:\windows\system32\panifiye.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: jkshf8a3rudbfa873fudfhbdugf87whjdb - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\phxjgk.dll
O22 - SharedTaskScheduler: gahurihor - {a13148d2-abb5-45fd-9e43-8d1d24e08417} - c:\windows\system32\panifiye.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Unknown owner - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Update Service (gupdate1c9a761b9a47940) (gupdate1c9a761b9a47940) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11377 bytes


Hello pizzapimp1! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Maniac and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • I will help you only with cleaning your system of malware. For other problems with your machine, start a new topic in the PC Help forum.
  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install any software or hardware while we are working on it.

Now:

Please visit Combofix Guide & Instructions for instructions on installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.


@pizzapimp1

Please advise us soonest if you have gotten guided help elsewhere and have resolved the issues.

This system has serious infections, including Vundo and an infected Hosts file.

If we do not hear back from you in a day or two, we will close this thread. Please reply soonest.

P.S. I have been advised by pizzapimp1 that the issues are resolved. This topic is closed.
